* IP to Encap Traffic: The IP to Encap traffic is from ATE Ports [1,2] to ATE Ports [3,4,5,6].
24
24
25
-
* Encap to IP Traffic: The Encap traffic to IP traffic is from ATE Ports [3,4,5,6] to ATE Ports [1,2].
25
+
* Encap to IP Traffic: The Encap traffic to IP traffic is from ATE Ports [3,4,5,6] to ATE Ports [1,2].
26
26
27
27
Please refer to the MPLSoGRE [encapsulation PF-1.14](feature/policy_forwarding/otg_tests/mpls_gre_ipv4_encap_test/README.md) and [decapsulation PF-1.12](feature/policy_forwarding/otg_tests/mpls_gre_ipv4_decap_test/README.md) READMEs for additional information on the test traffic environment setup.
28
28
29
29
## PF-1.17.1: Generate DUT Configuration
30
30
### MACsec
31
31
* Configure MACsec Static Connectivity Association Key (CAK) Mode on both ends of the aggregate bundle links connecting ATE ports 1,2 and DUT:
32
-
* Define first Policy(1) to cover must-secure scenario
33
-
* Define second Policy(2) to cover should-secure scenario
32
+
* Define first Policy(1) to cover must-secure scenario, as defined below
33
+
* Define second Policy(2) to cover should-secure scenario, as defined below
34
34
* Define 5 pre-shared keys (with overlapping time of 1 minute and lifetime of 2 minutes) for both Policy(1) and Policy(2)
35
-
* Each pre-shared key mush have a unique Connectivity Association Key Name(CKN) and Connectivity Association Key(CAK)
36
-
* Set CKN as encrypted/hidden in the running configuration
35
+
* Each pre-shared key must have a unique Connectivity Association Key Name(CKN) and Connectivity Association Key(CAK)
36
+
* Set CAK as encrypted/hidden in the running configuration
37
37
* Use 256 bit cipher GCM-AES-256-XPN and an associated 64 char CAK-CKN pair
38
38
* Set Key server priority: 15
39
-
* Set Security association key rekey interval: 28800 seconds
39
+
* Set Security association key rekey interval: 30 seconds (test only)
40
40
* Set MACsec confidentiality offset: 0
41
-
* Set Replay Protection Window size: 64
42
-
* Set ICV enabled:True
43
-
* Set SCI enabled:True
44
-
* Set Out of sequence protection window size:64
45
-
* Set maximum value of Association Number: 3 (NOTE: This is currently not configurable)
41
+
* Set Replay Protection Window (out-of-sequence protection) size: 64
42
+
* Include ICV indicator:True
43
+
* Include SCI:True
44
+
* Set maximum value of Association Number: 3 (NOTE: This is currently not configurable and is not included in the test cases)
46
45
47
46
## PF-1.17.2: Verify PF MPLSoGRE and MPLSoGUE traffic forwarding with MACSec must-secure policy
48
47
* Generate bidirectional traffic as highlighted in the test environment setup section:
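Review bot: The new rekey line in the MACsec list, "Set Security association key rekey interval: 30 seconds (test only)", does not say which test cases run with 30 seconds, and "test only" is ambiguous in a document that is itself a test plan. PF-1.17.5 sets the interval to 28800 seconds, so name the test cases that use the 30 second value here and note that PF-1.17.5 overrides it. The two "as defined below" additions would also be easier to follow if they pointed at the Definitions section by name.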
@@ -57,7 +56,7 @@ Verify:
57
56
* No packet loss while forwarding at line rate
58
57
* Traffic equally load-balanced across bundle interfaces in both directions
59
58
* Header fields are as expected in both directions
60
-
* Traffic is dropped (100 percent) when the must-secure MACSec sessions are down by disabling MACsec on ATE ports
59
+
* Traffic is dropped (100 percent) when the must-secure MACSec sessions are down by changing a key on one side to a mismatch & forcing renegotiation on ATE ports
61
60
62
61
## PF-1.17.3: Verify PF MPLSoGRE and MPLSoGUE traffic forwarding with MACSec should-secure policy
63
62
* Generate bidirectional traffic as highlighted in the test environment setup section:
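Review bot: The reworded drop check in the Verify list, "changing a key on one side to a mismatch & forcing renegotiation on ATE ports", leaves the procedure underspecified: it does not say whether the CAK or the CKN is changed, and it does not say how renegotiation is forced. Name the key that is mismatched and the action that triggers renegotiation, so the 100 percent drop result is reproducible across ATE implementations. "One side" followed by "on ATE ports" also reads ambiguously; say plainly that the change is made on the ATE.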
@@ -72,7 +71,7 @@ Verify:
72
71
* No packet loss while forwarding at line rate
73
72
* Traffic equally load-balanced across bundle interfaces in both directions
74
73
* Header fields are as expected in both directions
75
-
* Traffic is not dropped when the should-secure MACSec sessions are down by disabling MACsec on ATE ports
74
+
* Traffic is not dropped when the should-secure MACSec sessions are down by changing a key on one side to a mismatch & forcing renegotiation on ATE ports
76
75
77
76
## PF-1.17.4: Verify MACSec key rotation
78
77
* Generate bidirectional traffic as highlighted in the test environment setup section:
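Review bot: The should-secure check in the Verify list, "Traffic is not dropped when the should-secure MACSec sessions are down by changing a key on one side to a mismatch", can pass even if the mismatch never takes the session down, because the expected outcome is the same as the healthy case. Add a verification step that the MACsec session is reported down on the DUT before checking for loss, and state whether the forwarded traffic is expected to be unencrypted. The same ambiguity about which key is changed and how renegotiation is forced applies here as in PF-1.17.2.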
@@ -90,119 +89,129 @@ Verify:
90
89
* No packet loss when keys one through five expires as configured
91
90
* 100 percent packet loss after all the keys configured expires
92
91
92
+
## PF-1.17.5: Verify standard Security-Association timer
93
+
* Generate bidirectional traffic as highlighted in the test environment setup section:
94
+
* MPLSoGRE traffic with IPV4 and IPV6 payloads from ATE ports 3,4,5,6
95
+
* MPLSoGUE traffic with IPV4 and IPV6 payloads from ATE ports 3,4,5,6
96
+
* IPV4 and IPV6 traffic from ATE ports 1,2
97
+
* Use 64, 128, 256, 512, 1024.. MTU bytes frame size.
98
+
* Enable must secure policy (Policy(1)) on both interfaces ATE ports 1,2 and DUT
99
+
* Set the security association key rekey interval to 28800 seconds
93
100
94
-
## Canonical OpenConfig for MACsec configuration
101
+
Verify:
102
+
* Verify the SAK key value is accepted by the DUT
103
+
* Verify that MACsec sessions are up
104
+
* No packet loss while forwarding at line rate
105
+
106
+
## Definitions
107
+
**must-secure:* All non-macsec-control packets must be encrypted. On transmit (tx), packets are dropped if encryption is not used or if keys have expired. On receive (rx), unencrypted packets that should be secure or encrypted with expired keys are dropped.
108
+
**should-secure:* Unencrypted packets are permitted. On receive (rx), it's recommended but not required to drop unencrypted packets if a macsec session is active. On transmit (tx), it's recommended but not required to send unencrypted packets if macsec session negotiation has failed.
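Review bot: In the new PF-1.17.5 section the Verify list does not check what the step configures: the step sets the rekey interval to 28800 seconds, but the first check is "Verify the SAK key value is accepted by the DUT", and nothing confirms the timer value itself. Reword the check to confirm that the DUT accepts and reports the 28800 second rekey interval, or explain what "SAK key value" refers to. In the Definitions, "**must-secure:*" and "**should-secure:*" open with two asterisks and close with one, so the bold markup is unbalanced. The should-secure definition also says sending unencrypted packets on transmit is "recommended but not required", while PF-1.17.3 requires that traffic is not dropped; one of the two should be adjusted so they agree.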